Active attacks exploiting a critical vulnerability in older versions of Microsoft's Internet Explorer browser are the work of an experienced gang of hackers. Over the past four years, the same group has penetrated the defenses of Google and dozens of other companies using similar zero-day exploits.

The latest attack, which works against IE versions 6, 7, and 8, was found late last month on CFR.org and Capstoneturbine.com, according to several researchers, including Eric Romang and members of the FireEye Malware Research Lab. Such "watering hole" attacks get their name because the attackers plant drive-by exploits on legitimate sites frequented by the people they hope to infect, much as a predator waits for its prey at the water it comes to drink.

According to a report issued late last week by researchers from antivirus provider Symantec, the attackers are none other than the Elderwood gang. That's the same group that used a potent zero-day vulnerability in IE in 2010 to breach the defenses of Google and 34 other companies. As Ars reported in September, Elderwood operatives have since wielded a seemingly unlimited supply of previously unknown exploits, mainly in an espionage campaign aimed at collecting source code, engineering blueprints, and other forms of intellectual property.

"It has become clear that the group behind the Elderwood Project continues to produce new zero-day vulnerabilities for use in watering hole attacks and we expect them to continue to do so in the new year," the Symantec researchers wrote in their most recent report. The number of infected machines remains small, indicating that the attack is highly targeted.

Besides a steady stream of reliable attacks that exploit previously unknown vulnerabilities in IE and other widely used software packages, the Elderwood hackers exhibit other signs of above-average sophistication. The attacks set a cookie on the PC of each potential victim so that a given browser is served the exploit code only once; that keeps the campaign stealthy, and it means anyone revisiting the page with the same browser profile sees only the benign site. The latest exploit also conceals its malicious payload in image files that are unique to each attack, a measure that likewise makes the campaign hard for researchers to uncover.
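The article says only that the payload is hidden in per-attack image files, not how. The following is an added example (not code from the article, from Symantec, or from the attackers) of the check an analyst would run on a suspect image: walk the JPEG marker structure to find where the picture really ends, report anything appended after the end-of-image marker, and try to recover a single-byte XOR key on the assumption that the hidden blob is a PE file. Appending after EOI and single-byte XOR encoding are assumptions chosen for illustration; the sample JPEG skeleton and the fake payload are constructed, not captured from the campaign.

```python
"""Added example (not from the article, Symantec or the attackers' code):
find data hidden after a JPEG's end-of-image marker and recover a
single-byte XOR key.  The article only says payloads were concealed in
per-attack image files; that the payload is appended after EOI and
XOR-encoded with one byte are ASSUMPTIONS made here to show how an
analyst checks a suspect image.  All sample bytes are constructed."""
from typing import Optional

EOI, SOS = 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0..RST7 carry no length field


def jpeg_end_offset(data: bytes) -> int:
    """Walk the marker structure and return the offset just past the real EOI.

    Entropy-coded data byte-stuffs 0xFF as FF 00 and only permits RSTn markers,
    so the first unstuffed, non-RST 0xFF is a real marker.  An EXIF thumbnail's
    own EOI sits inside a length-prefixed APP1 segment and is skipped by the
    segment walk, so it cannot end the scan early.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos, in_scan = 2, False
    while pos + 1 < len(data):
        if in_scan:
            if data[pos] == 0xFF and data[pos + 1] != 0x00 and data[pos + 1] not in STANDALONE:
                in_scan = False          # real marker: hand back to the segment walk
            else:
                pos += 1
            continue
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:               # fill byte before a marker
            pos += 1
        elif marker == EOI:
            return pos + 2
        elif marker in STANDALONE:
            pos += 2
        else:                            # length-prefixed segment (APPn, DQT, SOS, ...)
            pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
            in_scan = marker == SOS
    raise ValueError("no EOI marker found (truncated or not a JPEG)")


def trailing_data(data: bytes) -> bytes:
    """Whatever follows the image proper (empty for a clean file)."""
    return data[jpeg_end_offset(data):]


def recover_xor_key(blob: bytes, known_prefix: bytes = b"MZ") -> Optional[int]:
    """Single-byte XOR key under the assumption that the plaintext starts with
    known_prefix (a PE header by default); None if no single byte fits."""
    if len(blob) < len(known_prefix):
        return None
    keys = {c ^ p for c, p in zip(blob, known_prefix)}
    return keys.pop() if len(keys) == 1 else None


def xor_bytes(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)


# --- constructed sample: a minimal JPEG skeleton (not a viewable picture) ---
def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


CLEAN_JPEG = (
    b"\xff\xd8"                                                        # SOI
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")  # APP0
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")                       # SOS header
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"   # scan data with a stuffed FF 00 and an RST0
    + b"\xff\xd9"                                                      # EOI
)

# Constructed stand-in for a payload: starts like a PE file and contains the
# bytes A5 83, which the chosen key turns into FF D9 once encoded, so a naive
# data.rfind(b"\xff\xd9") would land inside the payload instead of at the EOI.
FAKE_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 8 + b"\xa5\x83" + b"PE\x00\x00" + b"not a real binary"
XOR_KEY = 0x5A
SUSPECT_JPEG = CLEAN_JPEG + xor_bytes(FAKE_PAYLOAD, XOR_KEY)


def analyze(data: bytes) -> dict:
    """Report trailing bytes and, if a PE-like XOR-encoded blob is found, decode it."""
    blob = trailing_data(data)
    key = recover_xor_key(blob) if blob else None
    return {
        "trailing_bytes": len(blob),
        "xor_key": key,
        "decoded": xor_bytes(blob, key) if key is not None else None,
    }


if __name__ == "__main__":
    for name, img in (("clean", CLEAN_JPEG), ("suspect", SUSPECT_JPEG)):
        report = analyze(img)
        print(name, report["trailing_bytes"], "trailing bytes, key:",
              None if report["xor_key"] is None else hex(report["xor_key"]))
```

The marker walk matters more than it looks: an EXIF thumbnail or the encoded payload itself can contain the two bytes FF D9, so searching for the first or last occurrence of that sequence gives the wrong boundary. Real campaigns need not use a single-byte key or a PE payload, so a null result from `recover_xor_key` only means this particular guess failed, not that the trailing bytes are benign.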

The number of victims affected, the duration of the campaign, and the difficulty of finding and reliably exploiting zero-day vulnerabilities indicate that the hackers are likely backed by a large criminal organization or by a nation state. At least that's what Symantec researchers have concluded, though some independent researchers have disagreed with that assessment.

Another testament to the effectiveness of the Elderwood gang is the duration of its attacks. Romang has found signs that the compromise of CFR.org has been active since at least December 7, a full three weeks earlier than many other researchers suspected. The Capstone Turbine website may have been compromised since the middle of September, when it appears to have been used to exploit a separate vulnerability. The findings reinforce conclusions drawn from a recent Symantec report that zero-day attacks are more common and last longer than many security researchers previously thought.

Avoiding these types of attacks can be challenging, since they target people visiting legitimate websites and rarely provide any visible sign that something is amiss. That's especially true in the early stages of an attack, before antivirus packages have added detection for the exploits.

In the current attack, the easiest way to avoid infection is to use IE version 9 or 10, which the exploit does not target, or to use a different browser altogether. Those who can't upgrade to one of those versions should install the one-click Fix it that Microsoft has made available pending the release of a final security update.
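Before applying that advice across a fleet, an administrator needs to know which hosts actually run IE 6, 7 or 8. The following is an added example (not from the article or from Microsoft) that reads the values Internet Explorer writes under HKLM\SOFTWARE\Microsoft\Internet Explorer and classifies the host. It relies on two facts about that key: the major version comes from the "Version" value, and from IE 10 onward the real version is stored in "svcVersion" while "Version" keeps a 9.x compatibility string. The registry snapshots used for the demonstration are constructed; the live read only works on Windows and is skipped elsewhere.

```python
r"""Added example (not from the article or Microsoft): decide from the values
Internet Explorer writes to the registry whether a Windows host runs a
version the article's advice applies to (6, 7 or 8).  Relied-on facts:
the values live under HKLM\SOFTWARE\Microsoft\Internet Explorer, and from
IE 10 onward the real version is in "svcVersion" while "Version" keeps a
9.x compatibility string.  The registry snapshots below are constructed."""
from typing import Mapping, Optional

IE_KEY = r"SOFTWARE\Microsoft\Internet Explorer"
VULNERABLE_MAJORS = {6, 7, 8}    # the versions the article says the exploit works against


def ie_major_version(values: Mapping[str, str]) -> Optional[int]:
    """Major IE version from the key's values, preferring svcVersion.

    On IE 10 and later "Version" reads 9.x for backwards compatibility, so
    reading only that value would wrongly report those hosts as IE 9.
    """
    raw = values.get("svcVersion") or values.get("Version")
    if not raw:
        return None
    try:
        return int(raw.split(".")[0])
    except ValueError:
        return None


def runs_targeted_ie(values: Mapping[str, str]) -> bool:
    """True when the host has IE 6, 7 or 8 and so needs the Fix it or an upgrade."""
    return ie_major_version(values) in VULNERABLE_MAJORS


def read_local_ie_values() -> dict:
    """Read the live values on Windows (winreg is Windows-only); {} elsewhere.
    KEY_WOW64_64KEY asks for the native view even from 32-bit Python."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IE_KEY, 0,
                        winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as key:
        for name in ("Version", "svcVersion"):
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass
    return values


# Constructed snapshots of the two values as they appear on typical installs.
SAMPLES = {
    "xp-ie6":    {"Version": "6.0.2900.5512"},
    "win7-ie8":  {"Version": "8.0.7601.17514"},
    "win7-ie9":  {"Version": "9.0.8112.16421"},
    "win8-ie10": {"Version": "9.10.9200.16384", "svcVersion": "10.0.9200.16384"},
}


def classify(samples: Mapping[str, Mapping[str, str]]) -> dict:
    """Map each snapshot name to whether that host runs a targeted IE version."""
    return {name: runs_targeted_ie(vals) for name, vals in samples.items()}


if __name__ == "__main__":
    live = read_local_ie_values()
    if live:
        print("this host: IE", ie_major_version(live),
              "(targeted)" if runs_targeted_ie(live) else "(not targeted)")
    for name, hit in classify(SAMPLES).items():
        print(f"{name:10} {'needs Fix it or upgrade' if hit else 'ok'}")
```

A host classified as "ok" here is only outside the set the article names; it says nothing about whether the Fix it or a later security update has been applied, which is a separate check.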

Not exactly. The Cold War was all about the constant threat of using weapons of mass destruction. Any use would have meant the destruction of both sides of the conflict, regardless of who attacked first. The real war never came, no attacks were carried out, and that is why it was cold. If you look at it as espionage, it has always been present; recently it moved to cyberspace. If you look at it as war, the war is real, with attacks being carried out. The Cold War saw no direct attacks.

Not exactly. The real war never came, no attacks were carried out, and that is why it was cold.

On the contrary, the Cold War did occasionally turn 'hot' (ever hear of the Bay of Pigs or the assassination of Soviet dissidents?) and almost turned nuclear hot (hear of the Cuban missile crisis?). Just as the Cold War was mostly skullduggery and politics, so it is the Cyberwar era now. But just as with the Cold War, there's a risk that tensions will eventually spill over into IRL war.

Not exactly. The real war never came, no attacks were carried out, and that is why it was cold.

On the contrary, the Cold War did occasionally turn 'hot' (ever hear of the Bay of Pigs or the assassination of Soviet dissidents?) and almost turned nuclear hot (hear of the Cuban missile crisis?). Just as the Cold War was mostly skullduggery and politics, so it is the Cyberwar era now. But just as with the Cold War, there's a risk that tensions will eventually spill over into IRL war.

The key words from your comment are "almost" and "risk". Cyberwar still lacks the key element of the Cold War, which was the threat of mutual destruction that stopped any direct military conflicts from escalating. There were many wars (Afghanistan, Vietnam), but the USSR (Warsaw Pact) and the USA (NATO or "the West") never declared war on each other, nor were any rockets fired. The cyber war is just another act in the centuries-long rivalry between countries and nations; it's not Cold War #2.

"It has become clear that the group behind the Elderwood Project continues to produce new zero-day vulnerabilities for use in watering hole attacks and we expect them to continue to do so in the new year," the Symantec researchers wrote in their most recent report. The number of infected machines remains limited, indicating that the attack is highly targeted.

Do you read your own past articles when you quote them? From http://arstechnica.com/tech-policy/2010 ... censorship, "These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users' computers."

But whoever reads the current article will see "hacked Google", "penetrated the defenses of Google"; VERY different thing.

Is there any reason to suppose that this "Elderwood" group only targets IE, or even just Windows?

Going by the operating style which they have shown so far, I for one would expect that they have a nice store of Zero Day exploits against Firefox, Opera, Chrome as well. And they likely don't limit themselves to Windows, either -- or at least, I would be rather surprised if they do.

I would recommend avoiding Firefox entirely since it lacks a sandbox. Consider using Chrome with its sandboxed html renderer & flash & pdf reader. As a (less secure) alternative, IE9/10 has a less restrictive sandbox, but better html5 rendering performance.

Do you read your own past articles when you quote them? From http://arstechnica.com/tech-policy/2010 ... censorship, "These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users' computers."

But whoever reads the current article will see "hacked Google", "penetrated the defenses of Google"; VERY different thing.

I was thinking the same thing. I was like "how do you hack Google? They know everything."

Not to say it isn't possible, I'd just feel bad for whoever was foolish enough to try it. Just imagine the possible repercussions...

How are they infecting the watering holes? I find that to be the most interesting aspect of these campaigns.

What I find interesting is how these criminals get names like 'the Elderwood gang' and how is it known which 'gang' is responsible? If so much is known, you'd think they'd be easy to identify. It's not like they're hiding out in The Hole In The Wall.